Using security zones to protect both the systems you are responsible for and their content is critical for keeping unwanted visitors off your network and for blocking errant downloads that can contain viruses and compromise the health of your internal networks. The options available for configuring each of the four security zones in Windows XP give you, as the administrator, flexibility in defining a security strategy for your organization.

In Windows XP, security zones are grouped into four categories: Restricted
Sites, Trusted Sites, Local Intranet, and Internet. In addition to these
categories, there are parameters you can set across zones. A matrix comparing
the 21 different parameters and their status by security zone follows.
First, however, the specific security zones are defined:

Restricted SitesControls user access to Web content on sites
that could potentially damage a computer or its data. Default security for this
zone is High.

Trusted SitesControls user access to Web content on sites
that are explicitly trusted and considered to be free of content that could
damage the computer and its data. The default security level is a slightly
modified version of Low, which allows downloading of unsigned ActiveX controls
and sets Java permissions to Medium security.

Local IntranetControls user access to Web content on the
local network, which can include local (intranet) sites; sites bypassed by the
proxy server; and all network paths, such as Universal Naming Conventions
(UNCs). Default security level is Medium-Low.

InternetControls user access to Web content on all sites not
placed in other zones. The default security level is Medium.

The following table describes the security parameters for each security
level:

| Security Parameters | High | Medium | Medium-Low | Low |
|---|---|---|---|---|
| Download Signed ActiveX Controls | Disable | Prompt | Prompt | Enable |
| Download Unsigned ActiveX Controls | Disable | Disable | Disable | Prompt |
| Initialize and Script ActiveX Controls Not Marked as Safe | Disable | Disable | Disable | Prompt |
| Run ActiveX Controls and Plug-Ins | Disable | Enable | Enable | Enable |
| File Download | Disable | Enable | Enable | Enable |
| Font Download | Prompt | Enable | Enable | Enable |
| Access Data Sources Across Domains | Disable | Disable | Prompt | Enable |
| Allow Meta Refresh | Disable | Enable | Enable | Enable |
| Display Mixed Content | Prompt | Prompt | Prompt | Prompt |
| Don't Prompt for Client Certificate | Disable | Disable | Enable | Enable |
| Drag and Drop or Copy and Paste Files | Prompt | Enable | Enable | Enable |
| Installation of Desktop Items | Disable | Prompt | Prompt | Enable |
| Launching Programs or Files in an IFRAME | Disable | Prompt | Prompt | Enable |
| Navigate Subframes Across Different Domains | Disable | Enable | Enable | Enable |
| Software Channel Permissions | High Safety | Medium Safety | Medium Safety | Low Safety |
| Submit Non-Encrypted Form Data | Prompt | Prompt | Enable | Enable |
| Userdata Persistence | Disable | Enable | Enable | Enable |
| Active Scripting | Disable | Enable | Enable | Enable |
| Allow Paste Operations | Disable | Enable | Enable | Enable |
| Allow Paste Operations via Script | Disable | Enable | Enable | Enable |
| Scripting of Java Applets | Disable | Enable | Enable | Enable |

One of the most common security risks associated with the
factors shown in the table is the enabling of ActiveX controls, plug-ins, Java
applets, scripts, and downloads. If you're a system administrator, be sure
to put together a policy, along with training, that defines the specific ActiveX
features you want tailored across company browsers. Because JavaScript
has the potential to be a security breach for your system, it needs to be controlled
by disabling the Scripting of Java Applets option.
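The matrix above can be turned into a drift check. The following is an added example, not code from the original article: it reports every parameter a zone sets more permissively than the template level it is meant to follow, and finds the strictest level the zone still fits within. The ordering Disable < Prompt < Enable, the function names, and the sample zone are assumptions made for illustration.

```python
# Added example, not the article's code: audit a zone against the matrix above.
# Row format is "parameter|High,Medium,Medium-Low,Low" (values from the table).
LEVELS = ["High", "Medium", "Medium-Low", "Low"]
# Assumed permissiveness rank: higher means the browser does more without asking.
RANK = {"Disable": 0, "Prompt": 1, "Enable": 2,
        "High Safety": 0, "Medium Safety": 1, "Low Safety": 2}
MATRIX = """\
Download Signed ActiveX Controls|Disable,Prompt,Prompt,Enable
Download Unsigned ActiveX Controls|Disable,Disable,Disable,Prompt
Initialize and Script ActiveX Controls Not Marked as Safe|Disable,Disable,Disable,Prompt
Run ActiveX Controls and Plug-Ins|Disable,Enable,Enable,Enable
File Download|Disable,Enable,Enable,Enable
Font Download|Prompt,Enable,Enable,Enable
Access Data Sources Across Domains|Disable,Disable,Prompt,Enable
Allow Meta Refresh|Disable,Enable,Enable,Enable
Display Mixed Content|Prompt,Prompt,Prompt,Prompt
Don't Prompt for Client Certificate|Disable,Disable,Enable,Enable
Drag and Drop or Copy and Paste Files|Prompt,Enable,Enable,Enable
Installation of Desktop Items|Disable,Prompt,Prompt,Enable
Launching Programs or Files in an IFRAME|Disable,Prompt,Prompt,Enable
Navigate Subframes Across Different Domains|Disable,Enable,Enable,Enable
Software Channel Permissions|High Safety,Medium Safety,Medium Safety,Low Safety
Submit Non-Encrypted Form Data|Prompt,Prompt,Enable,Enable
Userdata Persistence|Disable,Enable,Enable,Enable
Active Scripting|Disable,Enable,Enable,Enable
Allow Paste Operations|Disable,Enable,Enable,Enable
Allow Paste Operations via Script|Disable,Enable,Enable,Enable
Scripting of Java Applets|Disable,Enable,Enable,Enable
"""
BASELINE = {name: dict(zip(LEVELS, cols.split(",")))
            for name, cols in (r.split("|") for r in MATRIX.splitlines())}

def drift(settings, level):
    """Map each parameter set more permissively than `level` to (actual, baseline)."""
    return {p: (v, BASELINE[p][level]) for p, v in settings.items()
            if RANK[v] > RANK[BASELINE[p][level]]}

def effective_level(settings):
    """Strictest template level that the settings exceed nowhere."""
    for level in LEVELS:
        if not drift(settings, level):
            return level
    return "weaker than Low"
# Constructed sample: an Internet zone (default Medium) with two loosened settings.
internet_zone = {p: lv["Medium"] for p, lv in BASELINE.items()}
internet_zone["Download Unsigned ActiveX Controls"] = "Prompt"
internet_zone["Access Data Sources Across Domains"] = "Prompt"
if __name__ == "__main__":
    print(drift(internet_zone, "Medium"), effective_level(internet_zone))
```

On the constructed sample, the two loosened settings are reported against the Medium baseline, and the zone as a whole only fits within the Low template.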

Introducing Logon: the Lost Parameter

There's another parameter that isn't typically captured as part of
the tables that define the variables associated with security zones. It's
the Logon parameter, and it determines whether user name and password information is
sent automatically to content servers that request it. Any content server
outside of a company can request this data, thereby getting access to user name
and password information.

Because of the ease with which other servers, even those outside of your company, can
get user name and password information using this parameter, nothing but High
security should be set. If Logon is set to Medium/High, then logon information is shared
with intranet servers and those sites that have bypassed your proxy servers.
With Logon security set to Low, any server on either the intranet or the Internet
can receive user name and password information. Be sure to set this option to
High to make sure your systems are protected from inadvertently sending
user name and password information, either over the intranet in your organization
or out to content servers on the Internet.